OFFICE OF THE INSPECTOR GENERAL
SOCIAL SECURITY ADMINISTRATION

MONITORING CONTROLS FOR THE CONSENT BASED SOCIAL SECURITY NUMBER VERIFICATION PROGRAM

October 2012   A-03-12-11201

AUDIT REPORT

Mission

By conducting independent and objective audits, evaluations and investigations, we inspire public confidence in the integrity and security of SSA's programs and operations and protect them against fraud, waste and abuse. We provide timely, useful and reliable information and advice to Administration officials, Congress and the public.

Authority

The Inspector General Act created independent audit and investigative units, called the Office of Inspector General (OIG). The mission of the OIG, as spelled out in the Act, is to:

• Conduct and supervise independent and objective audits and investigations relating to agency programs and operations.
• Promote economy, effectiveness, and efficiency within the agency.
• Prevent and detect fraud, waste, and abuse in agency programs and operations.
• Review and make recommendations regarding existing and proposed legislation and regulations relating to agency programs and operations.
• Keep the agency head and the Congress fully and currently informed of problems in agency programs and operations.

To ensure objectivity, the IG Act empowers the IG with:

• Independence to determine what reviews to perform.
• Access to all information necessary for the reviews.
• Authority to publish findings and recommendations based on the reviews.

Vision

We strive for continual improvement in SSA's programs, operations and management by proactively seeking new ways to prevent and deter fraud, waste and abuse. We commit to integrity and excellence by supporting an environment that provides a valuable public service while encouraging employee development and retention and fostering diversity and innovation.

MEMORANDUM

Date: October 25, 2012

To: The Commissioner

From: Inspector General

Subject: Monitoring Controls for the Consent Based Social Security Number Verification Program (A-03-12-11201)

OBJECTIVE

Our objective was to assess the Social Security Administration's (SSA) monitoring controls for the Consent Based Social Security Number Verification (CBSV) program.

BACKGROUND

In Fiscal Year (FY) 2009, SSA implemented the CBSV program, a centralized, automated process that quickly assists companies with consent-based Social Security number (SSN) verification for non-program-related reasons. CBSV is available to private businesses as well as Federal, State, and local government agencies that need consent-based SSN verification.

Companies that wish to register to use CBSV must complete the registration process on SSA's Business Services Online (BSO)[1] Website. As part of this process, companies are required to sign a User Agreement; pay registration and transaction fees; and obtain written consent from the individual before verifying their SSN through CBSV, as required by the Privacy Act.[2] The Privacy Act states that ". . . [n]o agency shall disclose any record which is contained in a system of records by any means of communication to any person, or to another agency, except pursuant to a written request by, or with the prior written consent of, the individual to whom the record pertains . . ." unless certain exceptions permit the disclosure, such as releasing the information, subject to conditions, to the Congress or the Comptroller General.[3]

[1] BSO is a suite of Internet services for businesses and employers to exchange information with SSA.
[2] The Privacy Act of 1974, as amended (Privacy Act), 5 U.S.C. § 552a.
[3] Privacy Act, 5 U.S.C. § 552a(b). See Appendix B for more details about the 12 exceptions under the Privacy Act.

Companies are also required[4] to hire an independent certified public accountant (CPA) to assess the company's compliance with the terms and conditions of the User Agreement, especially the consent requirement.[5] The CPAs confirm companies are using the Form SSA-89, Authorization for Social Security Administration (SSA) to Release Social Security Number (SSN) Verification,[6] obtaining a valid consent from the individual signing the form, and using CBSV only for the purpose indicated on the consent form. SSA is responsible for determining the frequency of compliance reviews. According to the User Agreement, SSA anticipated that the compliance reviews would be conducted annually, with additional reviews as deemed appropriate.

[4] The User Agreement established the conditions, terms, and safeguards for SSA to provide verification of SSNs to registered companies. See Section VI, Compliance Reviews.
[5] See Appendix C for more details about the compliance review process.
[6] See Appendix D for an example of Form SSA-89.

METHODOLOGY

As shown in Table 1, in FYs 2009 to 2011, SSA processed approximately 3.4 million verification requests submitted by 75 companies. To accomplish our objective, we gained an understanding of CBSV's monitoring and compliance review process. In addition, we reviewed the 26 compliance reviews conducted by independent CPAs as of May 2012. See Appendix E for further discussion of our scope and methodology.

Table 1: CBSV Transactions - FYs 2009 Through 2011

Response       FY 2009     FY 2010     FY 2011       Total   Percentage [a]
Match [b]      778,070   1,100,222   1,352,077   3,230,369               95
No Match [c]    49,969      58,154      62,752     170,875                5
Death [d]           61          65          50         176                0
Total          828,100   1,158,441   1,414,879   3,401,420              100

Note a: We rounded the percentage to the nearest whole number.
Note b: The information submitted for verification matches SSA's records.
Note c: The information submitted for verification does not match SSA's records.
Note d: The information submitted for verification matches SSA's records, but the records indicate that the numberholder is deceased.

RESULTS OF REVIEW

SSA's monitoring controls for the CBSV program need to be improved. The CBSV User Agreement requires that participating companies include the date of birth (DoB) on Form SSA-89.[7] However, SSA did not require the DoB as part of the matching criteria for the CBSV program. As a result, SSA verified about 227,000 names and SSNs through CBSV without verifying the DoB. Of the 227,000 transactions, 337 related to children who ranged in age from 2 months to 17 years. Because SSA verified the names and SSNs without a DoB, it did not alert participating companies to possible discrepancies between the DoBs provided by individuals and the DoBs recorded in SSA records. These false positive responses may have contributed to the misuse of children's identities. We brought this issue to the Agency's attention in a 2009 report,[8] but SSA had not taken steps to require that participating companies submit the DoB as part of the verification request for the CBSV program.

[7] The CBSV User Agreement requires that companies obtain a signed Form SSA-89 from each person from whom SSN verification is sought, and the DoB must be completed.

SSA's policy[9] allows parents or legal guardians with proper proof of relationship to give consent to disclose nonmedical records for minor children. However, we found that the Forms SSA-89 did not require that the relationship be specified for individuals who gave consent to verify the names and SSNs of 126 children who ranged in age from 2 months to 11 years. Without proof of relationship, SSA could be improperly disclosing children's personally identifiable information (PII) to third parties.

Finally, SSA did not always require that participating companies conduct an annual compliance review to ensure companies were complying with the terms and conditions of the User Agreement, especially the consent requirement. Specifically, of the 58 companies that used the CBSV program during FYs 2009 and 2010, we found

• 15 (26 percent) did not have a compliance review, of which 8 continued to use CBSV for SSN verification during FYs 2011 and 2012;
• 17 (29 percent) were in various stages of the compliance review process; and
• 26 (45 percent) had completed a compliance review.

[Figure: Status of Compliance Reviews, FYs 2009 to 2010. No Compliance Review 26%; Compliance Review Initiated 29%; Compliance Review Completed 45%.]

Additionally, for the 15 companies that did not have a compliance review, SSA had no assurance that these companies properly obtained a valid consent from the individuals whose names and SSNs were verified or used the verification responses for the purpose indicated on the consent forms.

[8] SSA, Office of the Inspector General (OIG), Consent Based Social Security Number Verification Program (A-03-08-18067), July 2009.
[9] SSA, POMS, GN 03305.005 B.2.c (September 12, 2005).

DATE OF BIRTH

For FYs 2009 to 2011, SSA verified about 227,000 names and SSNs that did not include the DoB even though the DoB was a required field on the consent form (see Table 2). We found that 337 of the names and SSNs related to children between ages 2 months and 17 years.

Table 2: CBSV Transactions by Submission Criteria, FYs 2009 Through 2011

Submission Criteria   Total Transactions   Percent   Related to Children [a]   Percent
DoB                            3,174,682        93                       435      0.01
No DoB                           226,738         7                       337      0.15
Total                          3,401,420       100                       772      0.02

Note a: The total transactions related to children only represent transactions where SSA provided a match response.

Our July 2009 report[10] informed the Agency about our concerns regarding submission criteria for the CBSV program. We found that while the DoB was a required element on the consent form, SSA did not require the DoB as part of the matching criteria for the CBSV program. We recommended that SSA require that participating companies submit the DoB as part of the verification request for the CBSV program to help prevent the Agency from providing participating companies false positive responses and increase the probability that SSA would detect instances of SSN misuse.

Although the Agency agreed with our recommendation, in May 2012, Agency staff informed us that SSA would be amending the User Agreement to make the DoB mandatory on the consent form.[11] We do not believe this action sufficiently addressed the recommendation's intent because the DoB was already a mandatory element on the consent form, and as our review showed, some companies did not comply with this requirement. In addition, making the DoB mandatory on the consent form will not prevent SSA from processing verification requests that do not include the DoB, as shown in the examples below.

[10] SSA OIG, Consent Based Social Security Number Verification Program (A-03-08-18067), July 2009.
[11] In August 2012, after the completion of audit fieldwork, the Office of Management and Budget approved the revised User Agreement.

• On January 7, 2010, a company that provided verification services to mortgage lenders, banks, credit unions, and other businesses verified the name and SSN of an 11-year-old child. The consent form included a DoB of September 7, 1973, but the company did not include this DoB as part of the verification request for a mortgage. Had the company included this DoB in the verification request, SSA would have provided a no-match response because the SSN belonged to a child who was born on October 10, 1998. Our review of LexisNexis showed that in February 2010, someone using the child's identity purchased a $157,000 house in California. Furthermore, someone misused the child's identity for work purposes over a 9-year period beginning in 2003. From 2003 to 2011, the child had approximately $123,000 in wages posted to her earnings record by five different employers. In reviewing SSA's Numident file, we found the mother and child shared the same first and last name, which could indicate that the parent may have misused the child's identity for work purposes and to obtain a mortgage. We referred this case to our Office of Investigations (OI).

• On July 23, 2010, a company that provides employment verification services verified the name and SSN of a 13-year-old child. The consent form included a DoB of May 29, 1965, but the company did not include this DoB as part of the verification request. The Numident showed that the child was born on January 16, 1997. The purpose of the verification request was employment verification, and the child's earnings record showed that the same company that verified the child's SSN reported wages for him in Tax Years (TY) 2010 and 2011. In fact, the child had about $157,000 in wages posted to his earnings record for TYs 2004 through 2011 that were reported by 19 different employers. In addition, both the child and his father shared the same first and last name, which could indicate that the parent may have misused the child's identity for work purposes. We referred this case to OI.

We believe SSA needs to make a system change to the CBSV program to prevent verification requests that do not include a DoB from being submitted, to protect the identity of innocent numberholders and provide more assurance that a valid verification response is provided to third parties.

PROOF OF CONSENT FOR CHILDREN

According to SSA's disclosure policy,[12] proof of a parent or legal guardian's relationship to the minor is required before a request to provide records on behalf of the minor can be accepted. Specifically, a parent or legal guardian who is acting on behalf of a minor child may give consent to disclose nonmedical information, including the verification of a child's name and SSN to a third party, but must first provide proof of the parent's or legal guardian's relationship to the child. Such proof can consist of a birth record showing the parent's name or documentation from a court reflecting the guardian's appointment.[13]
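The following Python models the two controls discussed above: a verification that refuses to match when the DoB is absent (Recommendation 1) and a check that a matched minor's consent came from a parent or legal guardian with proof retained (the revised User Agreement requirement). It is an added illustration, not code from SSA, the OIG or the CBSV system. The record store, field names, the request structure and the server-side minor-consent check are assumptions; the report describes SSA's actual matching rules only to the extent that the DoB was not part of them, and the Match / No Match / Death responses are taken from Table 1. All records are constructed and fictitious, arranged only to reproduce the January 2010 pattern: a child's SSN and name submitted without the adult DoB that appeared on the consent form.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed sample records standing in for SSA's Numident file. Every SSN,
# name and date is fictitious; the first record mirrors the report's case of a
# child whose name and SSN match while the consent form carries an adult's DoB.
NUMIDENT = {
    "123-45-6789": {"first": "Ana", "last": "Rivera", "dob": date(1998, 10, 10), "deceased": False},
    "987-65-4321": {"first": "Luis", "last": "Ortega", "dob": date(1965, 5, 29), "deceased": False},
    "555-01-0001": {"first": "Mae", "last": "Holt", "dob": date(1940, 2, 1), "deceased": True},
}

MINOR_RELATIONSHIPS = {"parent", "legal guardian"}


@dataclass
class VerificationRequest:
    """Fields a participating company transcribes from Form SSA-89 (assumed layout)."""
    ssn: str
    first: str
    last: str
    dob: Optional[date]                         # the field missing in ~227,000 requests
    signer_relationship: Optional[str] = None   # hypothetical: who signed for a minor
    relationship_proof_retained: bool = False   # hypothetical: birth record / court order held


def normalize_name(name: str) -> str:
    """Case- and whitespace-insensitive comparison key for a name field."""
    return " ".join(name.split()).casefold()


def age_on(dob: date, when: date) -> int:
    """Whole years between dob and the verification date."""
    years = when.year - dob.year
    if (when.month, when.day) < (dob.month, dob.day):
        years -= 1
    return years


def verify(req: VerificationRequest, when: date,
           require_dob: bool = True, enforce_minor_consent: bool = True) -> str:
    """Return 'Match', 'No Match', 'Death', or 'Rejected: <reason>'.

    require_dob=False and enforce_minor_consent=False reproduce the behaviour
    the report criticises: a request without a DoB is matched on name and SSN
    alone, so a DoB discrepancy on the consent form is never detected.
    """
    if req.dob is None and require_dob:
        return "Rejected: date of birth is required"
    rec = NUMIDENT.get(req.ssn)
    if rec is None:
        return "No Match"
    if (normalize_name(req.first), normalize_name(req.last)) != (
            normalize_name(rec["first"]), normalize_name(rec["last"])):
        return "No Match"
    if req.dob is not None and req.dob != rec["dob"]:
        return "No Match"          # the DoB check that turns the false positive into a no-match
    if rec["deceased"]:
        return "Death"
    # Assumed server-side check: the numberholder is a minor, so disclosure
    # requires consent signed by a parent or legal guardian with proof retained.
    if enforce_minor_consent and age_on(rec["dob"], when) < 18:
        if req.signer_relationship not in MINOR_RELATIONSHIPS or not req.relationship_proof_retained:
            return "Rejected: proof of parent or legal guardian relationship required"
    return "Match"


def demo() -> dict:
    """Run the constructed January 2010 pattern under the old and the corrected rules."""
    when = date(2010, 1, 7)
    child = ("123-45-6789", "Ana", "Rivera")
    without_dob = VerificationRequest(*child, dob=None)                  # DoB left off the request
    form_dob = VerificationRequest(*child, dob=date(1973, 9, 7))         # adult DoB from the form
    minor_no_proof = VerificationRequest(*child, dob=date(1998, 10, 10))  # correct DoB, no signer info
    parent_signed = VerificationRequest(*child, dob=date(1998, 10, 10),
                                        signer_relationship="parent",
                                        relationship_proof_retained=True)
    deceased = VerificationRequest("555-01-0001", "Mae", "Holt", dob=date(1940, 2, 1))
    return {
        "no_dob_old_rules": verify(without_dob, when, require_dob=False, enforce_minor_consent=False),
        "no_dob_new_rules": verify(without_dob, when),
        "dob_from_form": verify(form_dob, when),
        "minor_no_proof": verify(minor_no_proof, when),
        "parent_signed": verify(parent_signed, when),
        "deceased_holder": verify(deceased, when),
    }


if __name__ == "__main__":
    for label, response in demo().items():
        print(f"{label:18} -> {response}")
```

Under the old rules the first request returns Match even though the consent form's DoB belongs to someone born 25 years before the numberholder; under the corrected rules it is rejected at intake, and supplying the form's DoB yields No Match. The design point is that an attribute the consent form requires must also be an attribute the matcher requires: a verifier that silently matches on a subset of the submitted evidence weakens the binding between the signed consent and the record it authorizes disclosing.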
We found that SSA verified the names and SSNs of 772 children even though the Form SSA-89 did not require that individuals who signed the consent form provide proof of relationship to the child. The children ranged in age from 2 months to 17 years, and 45 were under the age of 6 years (see Table 3).

[12] SSA, POMS, GN 03305.005 B.2.c (September 12, 2005).
[13] Id.

Table 3: Age Range for Minor Children

Minor Children Ages        Transactions
2 months to 5 years old              45
6 to 11 years old                    81
12 to 17 years old                  646
Total                               772

We reviewed 22 Forms SSA-89 from 5 companies that verified children and found the following.

• Two consent forms appeared to be valid for disclosure because the Forms included the relationship of the individual signing on behalf of the minor child. In both of these instances, a parent gave permission for their child's SSN to be verified for claim purposes. The children were 3 and 4 years old.

• Eight consent forms related to children between the ages of 12 and 17 years, who could give consent. According to SSA policy,[14] ". . . [a] minor may give consent to disclose medical and nonmedical records if the office manager or reviewing central office official is reasonably sure that the minor is capable of making a rational decision to consent to the disclosure. . . . The age of 12 may be used as a guideline for when a child is old enough to make such a decision; however, this is not a hard and fast rule. A child under 12 may be mature enough to consent while a child over 12 may not be able to do so. Consider each child's ability separately to protect the child's rights." While these children may be capable of giving consent, two of the Forms appear to relate to SSN misuse. The dates on the Forms indicated the verification requests were for adults (31 and 45 years old) when in fact the SSNs belonged to children (12 and 13 years old). Further, one of the Forms identified the purpose of the verification request as a mortgage. We referred these two cases to OI.

• Twelve consent forms for children between ages 2 months and 11 years were not valid for disclosure because the proof of relationship for the individual who signed on behalf of the minor child was not established on the consent form. In addition, one case appears to relate to SSN misuse. We found the DoB shown on the consent form indicated that the verification request was for a 36-year-old adult who was seeking a mortgage when the SSN belonged to an 11-year-old child. We referred this case to OI.

[14] SSA, POMS, GN 03305.005 B.3 (September 12, 2005).

Additionally, the participating companies needed to obtain documentation that provided proof of the parent or legal guardian's relationship to the child before accepting a request on the child's behalf from a parent or legal guardian. We made this recommendation in our 2009 report,[15] and the Agency agreed to take the necessary steps to change the CBSV User Agreement. Without proper proof of relationship, SSA had no assurance whether the individuals who signed the consent form had a legal right to do so. Further, the consent provided for the children may not be valid and could represent an improper disclosure.

[15] SSA OIG, Consent Based Social Security Number Verification Program (A-03-08-18067), July 2009.

Through discussions with SSA staff, we found that the CBSV consent form was missing elements required to identify valid consent on a child's behalf because the Agency originally did not anticipate a situation where a parent would be signing on their child's behalf. SSA had designed the CBSV program for third-party requesters to verify SSNs for specific business needs, such as mortgages and lending. Therefore, the Agency did not foresee a business need to verify a child's name and SSN. Agency staff informed us that they planned to revise the consent form and User Agreement. The revised Form SSA-89 will require the relationship of the individual signing the consent form on behalf of a minor child. SSA informed us it will revise the User Agreement to require that when participating companies verify the SSN of a minor under age 18, they must ensure that the parent or legal guardian signed the consent form and retain proof of the relationship. In August 2012, after the completion of audit fieldwork, OMB approved the revised User Agreement.

MONITORING CONTROLS FOR COMPLIANCE REVIEWS

SSA did not always require that participating companies conduct an annual compliance review to ensure companies were complying with the terms and conditions of the User Agreement, especially the consent requirement. According to the User Agreement, SSA anticipated that the compliance reviews would be conducted annually, with additional reviews as deemed appropriate. Of the 58 companies that used the CBSV program during FYs 2009 and 2010, 26 had a compliance review, 17 were in various stages of the compliance review process, and 15 did not have a compliance review.

Compliance Reviews Conducted

We found that 26 participating companies hired independent CPAs to conduct their compliance reviews. These participating companies submitted between 687 and 1.1 million verification requests in FYs 2009 and 2010, totaling about 2 million verification requests. As part of the compliance review process,[16] SSA will (1) request that a company provide its CPA's contact information; (2) request an attestation letter from the CPA; (3) send transaction data to the CPA for testing during the compliance review; (4) ensure the CPA provides a report within 30 days after the review is completed; and (5) meet with the company to discuss the findings of the review, if necessary.

[16] See Appendix C for details about the compliance review process.

The compliance review findings ranged from companies giving CBSV access to employees who were not approved by SSA to missing consent forms. Specifically, we found 10 (38 percent) of the 26 participating companies did not always ensure that the consent forms were completed as required.[17] The CPAs reported that some consent forms had incorrect dates of birth and were missing signatures of the consenting individuals, dates the consent forms were signed, and/or the signer's contact information.

[17] SSA, POMS, GN 03305.001 B.2 (September 12, 2005).

In addition, a CPA found that a company could not produce any Forms SSA-89 for individuals whose names and SSNs were verified. Specifically, the report showed that an Internet-based company that offered universal gift certificates did not obtain a signed, valid consent form from any of the approximately 1,900 individuals whose names and SSNs were verified through the CBSV program from November 2009 through June 2010. Since the company did not obtain valid consent from the numberholders, SSA unknowingly and improperly disclosed PII to this company. The Agency immediately took appropriate action by terminating the company's access to the CBSV program.

Compliance Reviews Scheduled

During our audit, SSA initiated compliance reviews for 17 participating companies that submitted about 19,000 verification requests during FYs 2009 and 2010, ranging from 11 to 3,028 verification requests per company. As shown in Table 4, the compliance reviews were in various stages. As of May 2012, the CPAs had not completed these compliance reviews.

Table 4: Status of Scheduled Compliance Reviews (as of May 2012)

Status                                                    Total
Requested or received CPA information from company           12
Requested or received attestation letter from CPA [a]         3
Sample data sent to CPA for compliance review                 2
Total                                                        17

Note a: The CPA firm sends and signs an attestation letter explaining that it is performing the agreed-upon engagement procedures for the participating company. The CPA agrees to protect the confidentiality of PII, provide SSA with a report 30 days after the engagement, and destroy the data SSA sent 30 days after the engagement is completed.

No Compliance Reviews Conducted

We found that 15 participating companies submitted approximately 26,000 verification requests in FYs 2009 and 2010 but did not have compliance reviews. SSA requested that 4 of the 15 companies, which submitted approximately 25,000 verification requests, conduct a compliance review, but the companies refused, citing the cost associated with hiring a CPA firm to conduct the review. Their refusal was a clear violation of the User Agreement, and SSA took appropriate action by terminating their access to the CBSV program.[18]

[18] In addition, SSA referred one of the companies to OI for noncompliance with the CBSV User Agreement.

Additionally, three participating companies that did not have a compliance review voluntarily stopped using CBSV. In FY 2009, the 3 companies submitted 294 verification requests. At that time, the cost per transaction was $5.00, and the high cost may have contributed to the companies not using the program. SSA did not request that the remaining eight companies conduct a compliance review even though they continued to use the CBSV program during FYs 2011 and 2012. As shown in Table 5, while the number of transactions submitted by these companies was relatively small in FYs 2009 and 2010 (550 transactions), their use increased significantly in FY 2012, when the fee for the CBSV program was reduced to $1.05 per transaction.

Table 5: Status of Companies Without Compliance Review

                            Number of          CBSV Transactions
Status                      Companies     2009     2010    2011   2012
Refused Compliance Review           4   14,724    9,795   4,981      -
Stopped Using CBSV                  3      294        -       -      -
Continued to Use CBSV               8      390      156     271    677
Total                              15   15,408    9,951   5,252    677

According to SSA staff, the Agency did not request that the 11 participating companies conduct compliance reviews because their verification requests did not meet the Agency's threshold of 500 or more verifications cumulatively or in 1 year. When asked, Agency staff could not explain the basis for this threshold or whether it was based on a risk assessment or any other requirement. Therefore, it is not clear whether the number of verifications submitted is a good indicator of whether a company will comply with the terms and conditions of the User Agreement. In fact, we found that 6 of the 11 companies were not complying with the User Agreement because they submitted verification requests that did not include the numberholder's DoB. We discussed this finding in more detail earlier in the report. We believe SSA should follow the guidance included in its User Agreement, which states that the compliance reviews would be conducted annually, with additional reviews as deemed appropriate. Requiring annual compliance reviews would provide SSA with more assurance that it is properly disclosing records protected by the Privacy Act. In June 2012, after the completion of the audit fieldwork, SSA awarded a contract to a CPA firm to conduct compliance reviews for 16 selected companies using the existing criteria included in the User Agreement. In addition, the CPA firm is tasked to provide SSA with recommendations on how to improve CBSV User Agreement requirements, compliance review criteria, and related business processes.

CONCLUSION AND RECOMMENDATIONS

Overall, SSA's monitoring controls for the CBSV program need to be improved to help ensure the Agency is properly disclosing numberholders' information to third parties in accordance with the Privacy Act. Our review revealed that SSA allowed participating companies to submit about 227,000 verification requests without including the DoB, which led to SSA providing false positive responses and contributed to the misuse of children's identities. Further, SSA did not always require that participating companies conduct an annual compliance review to ensure companies were complying with the terms and conditions of the User Agreement, especially the consent requirement. In addition, the Form SSA-89, used to provide consent for the CBSV program, did not require the relationship of the individuals who gave consent to verify the names and SSNs of 126 children who ranged in age from 2 months to 11 years, and companies did not always obtain consent. Finally, we found the companies were not required to obtain or retain proof of the parent or legal guardian's relationship to the child before accepting a request on the child's behalf. In August 2012, SSA revised the User Agreement, requiring that companies obtain and retain proof of relationship for consent for minors. We believe SSA needs to take additional steps to improve its monitoring controls of the CBSV program to ensure compliance with the terms and conditions of the User Agreement and avoid improper disclosure of PII.

Accordingly, we recommend SSA:

1. Make a systems change to the CBSV program to prevent the processing of verification requests without a DoB.
2. Justify and document why the eight companies were not required to have a compliance review but continued to use CBSV.
3. Require that participating companies conduct a compliance review at least annually.

AGENCY COMMENTS

The Agency agreed with Recommendations 2 and 3. SSA disagreed with Recommendation 1, stating that it was cost-prohibitive to change the CBSV system to incorporate the DoB in the verification process at this time. However, the Agency stated it would reevaluate this decision in the future, as resources allow. In the interim, the Agency plans to include more SSN verification disclosures related to minors' records in the audit compliance review that certified public accountants conduct for participating companies. The full text of SSA's comments is included in Appendix F.

OIG RESPONSE

The cost to change the CBSV system to incorporate the DoB in the verification process should not be prohibitive because SSA is reimbursed all costs incurred to operate and manage CBSV through fees paid by participating companies. Annually, SSA assesses the cost to operate CBSV and adjusts its fees accordingly. This helps ensure that the Agency's appropriation does not bear the cost for CBSV, since it does not directly relate to the administration of SSA programs. Therefore, we encourage the Agency to reconsider and implement our recommendation sooner rather than later to protect the identity of children and provide more assurance that a valid verification response is provided to third parties.

Patrick P. O'Carroll, Jr.

Appendices

APPENDIX A – Acronyms
APPENDIX B – Exceptions Under the Privacy Act
APPENDIX C – Compliance Review Process
APPENDIX D – Authorization for the Social Security Administration (SSA) to Release Social Security Number (SSN) Verification (Form SSA-89)
APPENDIX E – Scope and Methodology
APPENDIX F – Agency Comments
APPENDIX G – OIG Contacts and Staff Acknowledgment

Appendix A

Acronyms

BSO    Business Services Online
CBSV   Consent Based Social Security Number Verification
CPA    Certified Public Accountant
DoB    Date of Birth
FY     Fiscal Year
OI     Office of Investigations
OIG    Office of the Inspector General
OMB    Office of Management and Budget
PII    Personally Identifiable Information
POMS   Program Operations Manual System
SSA    Social Security Administration
SSN    Social Security Number
TY     Tax Year

Form
SSA-89   Authorization for the Social Security Administration (SSA) to Release Social Security Number (SSN) Verification

Appendix B

Exceptions Under the Privacy Act

The Privacy Act prohibits agencies from disclosing any record which is contained in a system of records, by any means of communication, to any person or to another agency, except pursuant to a written request by, or with the prior written consent of, the individual to whom the record pertains, unless disclosure would be:[1]

1. to those officers and employees of the agency which maintains the record who have a need for the record in the performance of their duties;
2. required under section 552 of this title;
3. for a routine use as defined in subsection (a)(7) of this section and described under subsection (e)(4)(D) of this section;
4. to the Bureau of the Census for purposes of planning or carrying out a census or survey or related activity pursuant to the provisions of Title 13;
5. to a recipient who has provided the agency with advance adequate written assurance that the record will be used solely as a statistical research or reporting record, and the record is to be transferred in a form that is not individually identifiable;
6. to the National Archives and Records Administration as a record which has sufficient historical or other value to warrant its continued preservation by the United States Government, or for evaluation by the Archivist of the United States or the designee of the Archivist to determine whether the record has such value;
7. to another agency or to an instrumentality of any governmental jurisdiction within or under the control of the United States for a civil or criminal law enforcement activity if the activity is authorized by law, and if the head of the agency or instrumentality has made a written request to the agency which maintains the record specifying the particular portion desired and the law enforcement activity for which the record is sought;
8. to a person pursuant to a showing of compelling circumstances affecting the health or safety of an individual if upon such disclosure notification is transmitted to the last known address of such individual;
9. to either House of Congress, or, to the extent of matter within its jurisdiction, any committee or subcommittee thereof, any joint committee of Congress or subcommittee of any such joint committee;
10. to the Comptroller General, or any of his authorized representatives, in the course of the performance of the duties of the Government Accountability Office;
11. pursuant to the order of a court of competent jurisdiction; or
12. to a consumer reporting agency in accordance with section 3711(e) of Title 31.

[1] The Privacy Act of 1974, as amended (Privacy Act), 5 U.S.C. § 552a(b).

Appendix C

Compliance Review Process

Participating companies are required to sign a User Agreement; pay registration and transaction fees; and obtain written consent from the individual before verifying the individual's Social Security number through the Social Security Administration's (SSA) Consent Based Social Security Number Verification (CBSV) program.
Moreover,\ncompanies are to bear all costs associated with hiring an independent certified public\naccountant (CPA) to assess the company\xe2\x80\x99s compliance with the terms and conditions of\nthe User Agreement, especially the consent requirement.\n\nThe CPAs are required to follow standards established by the American Institute of\nCertified Public Accountants. In addition, they are not supposed to have a professional\nor personal affiliation with the CBSV registered company, including previous\nemployment. However, the CBSV registered company may use the CPA that performs\nits annual financial audit.\n\x0c                                     Appendix D\nAuthorization for the Social Security\nAdministration (SSA) to Release Social Security\nNumber (SSN) Verification (Form SSA-89)\n\x0cD-1\n\x0cD-2\n\x0c                                                                     Appendix E\nScope and Methodology\nTo accomplish our objective, we:\n\n\xe2\x80\xa2   Reviewed applicable Federal law and regulations as well as the Social Security\n    Administration\xe2\x80\x99s (SSA) policies and procedures as they relate to privacy and\n    disclosure of personal information maintained in SSA\xe2\x80\x99s official records.\n\n\xe2\x80\xa2   Reviewed the Consent Based Social Security Number Verification (CBSV) program\n    User Agreement.\n\n\xe2\x80\xa2   Reviewed 26 CBSV compliance reviews completed as of May 2012.\n\n\xe2\x80\xa2   Obtained CBSV transaction data for Fiscal Years (FY) 2009 through 2011.\n\n    o For FY 2009, 48 companies submitted 828,100 verification requests.\n    o For FY 2010, 53 companies submitted 1,158,441 verification requests.\n    o For FY 2011, 64 companies submitted 1,414,879 verification requests.\n\n\xe2\x80\xa2   Obtained a list of CBSV registered users.\n\n\xe2\x80\xa2   Gained an understanding of the CBSV compliance review process.\n\n\xe2\x80\xa2   Obtained copies of signed Forms SSA-89, Authorization for the Social Security\n    
Administration to Release Social Security Number Verification, for 22 children whose\n    names and SSNs verified through CBSV between January 7, 2010 and\n    September 15, 2011.\n\nWe determined that the CBSV data used for this audit were sufficiently reliable to meet\nour objective. The Office of Public Service and Operations Support is responsible for\nmanaging the CBSV program, which is under the Office of the Deputy Commissioner for\nOperations. Our work was conducted at the Philadelphia Audit Division, Philadelphia,\nPennsylvania, from January through June 2012. We conducted this performance audit\nin accordance with generally accepted government auditing standards. Those\nstandards require we plan and perform the audit to obtain sufficient, appropriate\nevidence to provide a reasonable basis for our findings and conclusions based on our\naudit objectives. We believe that the evidence obtained provides a reasonable basis for\nour findings and conclusions based on our audit objective.\n\x0c                  Appendix F\n\nAgency Comments\n\x0c                                      SOCIAL SECURITY\n\nMEMORANDUM\n\n\nDate:   September 27, 2012                                                     Refer To: S1J-3\n\nTo:     Patrick P. O\xe2\x80\x99Carroll, Jr.\n        Inspector General\n\nFrom:   Dean S. Landis /s/\n        Deputy Chief of Staff\n\nSubject: Office of the Inspector General Draft Report, \xe2\x80\x9cMonitoring Controls for the Consent Based Social\n        Security Number Verification Program\xe2\x80\x9d (A-03-12-11201)\xe2\x80\x94INFORMATION\n\n        Thank you for the opportunity to review the draft report. Please see our attached comments.\n\n        Please let me know if we can be of further assistance. 
You may direct staff inquiries to Amy\n        Thompson at (410) 966-0569.\n\n        Attachment\n\n\n\n\n                                                      F-1\n\x0cCOMMENTS ON THE OFFICE OF THE INSPECTOR GENERAL DRAFT REPORT,\n\xe2\x80\x9cMONITORING CONTROLS FOR THE CONSENT BASED SOCIAL SECURITY\nNUMBER VERIFICATION PROGRAM\xe2\x80\x9d (A-03-12-11201)\n\n\nRecommendation 1\n\nMake a systems change to the CBSV program to prevent the processing of verification requests\nwithout a DoB.\n\nResponse\n\nWe disagree. We find it cost prohibitive to change our system to incorporate the date of birth\n(DoB) in the verification process at this time. We will reevaluate this decision in the future, as\nresources allow. In the interim, we will include more Social Security number (SSN) verification\ndisclosures related to minors\xe2\x80\x99 records in the audit compliance review certified public accountants\nconduct for participating companies. This inclusion will strengthen efforts to ensure companies\xe2\x80\x99\ncompliance with the revised user agreement requirements for verifying minors\xe2\x80\x99 SSNs.\n\nRecommendation 2\n\nJustify and document why the eight companies were not required to have a compliance review\nbut continued to use CBSV.\n\nResponse\n\nWe agree. Previously, we determined it was not cost effective to initiate compliance reviews for\ncompanies that use the Consent Based Social Security Verification (CBVS) program for fewer\nthan 500 verification requests. These eight companies submitted far fewer than 500 verification\nrequests in fiscal year (FY) 2011. Five companies ranged from 0-6 requests, two companies had\n33-46 requests, and one company had 238 requests. With the exception of one, all of the\ncompanies continued their agreement with us in FY 2012.\n\nOn August 2, 2012, the Office of Management and Budget approved our revised user agreement,\nwhich includes instructions for a mandatory annual compliance review at the user\xe2\x80\x99s expense. 
It\nstates, \xe2\x80\x9cSSA will determine the frequency of the Requesting Party\xe2\x80\x99s compliance review, which\nmust be no less frequently than annually, with additional reviews as determined appropriate.\xe2\x80\x9d\n\nAdditionally, we recently contracted with a vendor to perform independent compliance reviews\non our behalf. We expect these reviews to provide additional guidance and recommendations for\nthe compliance review process. We consider this recommendation closed for tracking purposes.\n\n\n\n\n                                               F-2\n\x0cRecommendation 3\n\nRequire that participating companies conduct a compliance review at least annually.\n\nResponse\n\nWe agree. As stated in our response to recommendation 2, we recently revised our requirements\nand now require an annual review regardless of the number of verification requests. We consider\nthis recommendation closed for tracking purposes.\n\n\n\n\n                                              F-3\n\x0c                                                                         Appendix G\n\nOIG Contacts and Staff Acknowledgment\nOIG Contacts\n\n   Cylinda McCloud-Keal, Director, Philadelphia Audit Division\n\n   Virginia Harada, Audit Manager\n\nAcknowledgment\n\nIn addition to those named above:\n\n   David Domzalski, Auditor-in-Charge\n\nFor additional copies of this report, please visit our Website at http://oig.ssa.gov/ or\ncontact the Office of the Inspector General\xe2\x80\x99s Public Affairs Staff at (410) 965-4518.\nRefer to Common Identification Number A-03-12-11201.\n\x0c                         Overview of the Office of the Inspector General\nThe Office of the Inspector General (OIG) is comprised of an Office of Audit (OA), Office of Investigations\n(OI), Office of the Counsel to the Inspector General (OCIG), Office of External Relations (OER), and Office of\nTechnology and Resource Management (OTRM). 
To ensure compliance with policies and procedures, internal\ncontrols, and professional standards, the OIG also has a comprehensive Professional Responsibility and Quality\nAssurance program.\n                                                  Office of Audit\nOA conducts financial and performance audits of the Social Security Administration\xe2\x80\x99s (SSA) programs and\noperations and makes recommendations to ensure program objectives are achieved effectively and efficiently.\nFinancial audits assess whether SSA\xe2\x80\x99s financial statements fairly present SSA\xe2\x80\x99s financial position, results of\noperations, and cash flow. Performance audits review the economy, efficiency, and effectiveness of SSA\xe2\x80\x99s\nprograms and operations. OA also conducts short-term management reviews and program evaluations on issues\nof concern to SSA, Congress, and the general public.\n                                              Office of Investigations\nOI conducts investigations related to fraud, waste, abuse, and mismanagement in SSA programs and operations.\nThis includes wrongdoing by applicants, beneficiaries, contractors, third parties, or SSA employees performing\ntheir official duties. This office serves as liaison to the Department of Justice on all matters relating to the\ninvestigation of SSA programs and personnel. OI also conducts joint investigations with other Federal, State,\nand local law enforcement agencies.\n                            Office of the Counsel to the Inspector General\nOCIG provides independent legal advice and counsel to the IG on various matters, including statutes,\nregulations, legislation, and policy directives. 
OCIG also advises the IG on investigative procedures and\ntechniques, as well as on legal implications and conclusions to be drawn from audit and investigative material.\nAlso, OCIG administers the Civil Monetary Penalty program.\n                                        Office of External Relations\nOER manages OIG\xe2\x80\x99s external and public affairs programs, and serves as the principal advisor on news releases\nand in providing information to the various news reporting services. OER develops OIG\xe2\x80\x99s media and public\ninformation policies, directs OIG\xe2\x80\x99s external and public affairs programs, and serves as the primary contact for\nthose seeking information about OIG. OER prepares OIG publications, speeches, and presentations to internal\nand external organizations, and responds to Congressional correspondence.\n                           Office of Technology and Resource Management\nOTRM supports OIG by providing information management and systems security. OTRM also coordinates\nOIG\xe2\x80\x99s budget, procurement, telecommunications, facilities, and human resources. In addition, OTRM is the\nfocal point for OIG\xe2\x80\x99s strategic planning function, and the development and monitoring of performance\nmeasures. In addition, OTRM receives and assigns for action allegations of criminal and administrative\nviolations of Social Security laws, identifies fugitives receiving benefit payments from SSA, and provides\ntechnological assistance to investigations.\n\x0c"